CVE-2026-33578

CRITICAL NVD

CVSS Score 9.8

Severity CRITICAL

Published Mar 31, 2026

Vendor unknown

Description

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.

References

https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4
https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm
https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions